the CEO would also be held accountable for the damage inflicted by the attack on the company and its negligence. While both scenarios will result in a loss of clients and severely harm the company’s reputation, the investigation and remediation costs will also be significant, possibly resulting in legal action. Not asking the right questions, relying on outdated technology, and believing a company’s officers are not liable for a cybercriminal’s actions is the wrong way to face cybersecurity.
BUSINESSES CAN NO LONGER FAIL TO RECOGNISE THE REAL THREAT OF CYBER-CRIME AND NEED TO UNDERSTAND THE COST FOR ADEQUATE CYBERSECURITY PROTECTION.
A strong cybersecurity strategy should be centred around 3 principles: confidentiality, integrity and availability (CIA). The informational assets of a company should not only remain confidential, but they should also not be accessible by anyone unauthorised, either internally or externally. This may sound obvious, but when looking at system-wide applications or internal software, ultimately, most employees can access data beyond their departments. Additionally, the integrity of that information should prevent any changes from unauthorised users. For example, an organisation which relies on an application to make time-critical financial decisions should prevent changes in that code which may affect the application. Whether these changes go unnoticed is irrelevant if they ultimately cripple the operations of the application. Furthermore, even if company information is confidential and retains its integrity, in a ransomware attack the information is inaccessible because company systems are inoperable. Information is often the most valuable asset of a company, and on that basis, risks to informational assets need to be viewed as being as important as any other threat to the operations of a company. Applying the principles of CIA works best when the strengths and weaknesses of informational assets are identified. The systems that a company relies on for daily operations need to be the most secure and should be assessed on a regular basis; these systems are the focus of a defence-in-depth strategy. Identifying a company’s informational assets is the cornerstone of creating a strategy of defence-in-depth. For example, a company that relies on web sales for the majority of its business needs to apply defence-in-depth to the applications associated with payment processes. Combining this strategy with the CIA principles should help prevent suffering the consequences of a breach. However, as a company acquires new data, new clients, and new staff, the risk to those assets needs to be constantly evaluated as an integral part of an incident response plan.
A ROBUST CYBER DEFENCE STRATEGY
A cybersecurity incident response plan will evaluate informational assets and systems which are most critical to operations and ensure they would still be accessible after a breach. This means backups can be restored and the information lost is kept to an absolute minimum because of these advanced simulations. Testing an incident response plan needs to be completed regularly, as does running tabletop exercises; ultimately, pushing the limits of any technology team will determine an incident response’s true effectiveness. Creating the ability to identify and react to an attack before it happens will make all the difference in the true cost of a breach. Equifax may have believed they had the necessary defences and response plans in place but are now being subjected to a USD$700 million fine as a result of their 2017 breach, affecting over 148 million individuals. Cybersecurity is an investment because it is a critical business tool. Ultimately, there is no way to provide complete security and no product, at any cost, which will provide total protection against an attack. The best cyber strategy has a multi-faceted approach. Even the largest banks in the world rely on third parties for both protection and independent assurance of their technical vulnerabilities. Feedback from outside experts contributes to a greater level of security and allows companies to make continual improvements over time. There are too many examples of companies being crippled by their systems being unavailable or their informational assets being held to ransom. Simulating a crisis situation is an important element of cyber defence and should provide assurance that the most vital systems can be retrieved easily after a cyber-attack. Ensuring that your cyber defence strategy works is paramount to the successful operation of a company.
PRIORITISING CYBERSECURITY
In the future, cyber-attacks will increase in regularity and in impact, as will the costs and penalties associated with being an attack victim. The news of a cyber-attack is not as impactful because it is hard to visualise, and even though this is a widespread problem, companies do not see how their informational assets are under threat. There is not a one-size-fits-all solution to preventing cyber-attacks; attacks are complex by nature and threats grow and evolve just like any other industry. With a complex strategy and a capable team, cybersecurity should enable a company to operate and grow with control and be safeguarded in an attack. Cybersecurity has not always been a top priority for companies, but by understanding the scope and scale of the damages, any CEO should be motivated to take major action.
For further information, please visit: www.dionach.com
Summer 2019
The Premier Business and Luxury Lifestyle Magazine for C-Suite Executives and High Net Worth Individuals Worldwide.